Info:

This feature is only available if Beta Testing is switched on.

Here, external public PGP keys of users can be uploaded and managed.

Each uploaded external PGP key is displayed in a tile, with the following information:

  • Target email address
  • Status - e.g. uploaded, mail sent, expired
  • Fingerprint of the PGP key
  • Excerpt of the workflow timeline

Click Upload new key to open a side overlay.

There, upload the PGP public key file and enter the Target Email Address. This starts the confirmation workflow as described below.

PGP key details

Clicking on a PGP key opens the side overlay with the key details, showing the Fingerprint, the user decision, the publication target and date, and the full timeline of the workflow.

Available actions:

  • Click Delete to delete the workflow for this PGP key. (The key itself can be deleted in GINA, or alternatively contact pgp@seppmail.cloud.)
  • Click Resend verification if necessary (not available if the key has already been confirmed).

Confirmation workflow

The PGP confirmation workflow is as follows:

  1. If there is already a valid S/MIME certificate for this email address in seppmail.cloud, the following message is displayed:
    We already have a S/MIME Certificate for this recipient, will not use PGP then.
  2. If the key can be found through public means (CERT, DANE, WKD or Keyserver on keys.openpgp.org), the key is directly trusted and imported.
  3. If none of those methods works, two mails are sent from pgp@seppmail.cloud to the target email address.
    1. The first mail is unencrypted. It includes instructions, a link to decline using PGP, and the option to send another S/MIME or PGP key via https://login.seppmail.cloud/noencrypt/xyz.
    2. The second email is encrypted, with a link of the pattern https://login.seppmail.cloud/#/pgpExtKeysUserDecision/xyz/accept to approve receiving PGP-encrypted mails (or https://login.seppmail.cloud/#/pgpExtKeysUserDecision/xyz/reject to reject it).
      1. If the accept link is confirmed, a confirmation mail is sent to the user who uploaded the key. Additionally, another PGP-encrypted confirmation is sent to the key owner with a link to GINA, letting them know that they can upload another key or delete this one.
      2. If the link has not been clicked and confirmed within 7 days, a mail is sent to the key uploader with the information that the PGP key upload was not confirmed and that they should get in direct contact with the key owner about this issue.
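
To see where a key owner would have to publish a key for step 2 to find it, the lookup locations can be computed from the target email address. The following is an added example, not SEPPmail code: it assumes the standard conventions (the OpenPGP Web Key Directory draft, RFC 7929 for DANE, and the keys.openpgp.org VKS by-email endpoint), since this page does not describe how seppmail.cloud performs the lookups. The function names are hypothetical and the CERT lookup is left out.

```python
# Added example: computes lookup locations only, no network access.
# Conventions assumed: WKD draft, RFC 7929 (DANE), keys.openpgp.org VKS API.
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, the encoding WKD uses for the hashed local part."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # pad to a multiple of 5 bits
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def split_address(address: str) -> tuple[str, str]:
    """Split into (local part, lowercased domain); reject anything without both."""
    local, sep, domain = address.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    return local, domain.lower()

def wkd_urls(address: str) -> dict[str, str]:
    """WKD: SHA-1 of the ASCII-lowercased local part, z-base-32 encoded."""
    local, domain = split_address(address)
    folded = "".join(c.lower() if c.isascii() else c for c in local)
    hu = zbase32(hashlib.sha1(folded.encode("utf-8")).digest())
    tail = f"hu/{hu}?l={quote(local, safe='')}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }

def dane_owner_name(address: str) -> str:
    """DANE OPENPGPKEY: SHA-256 of the local part truncated to 28 octets, as hex."""
    local, domain = split_address(address)
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{label}._openpgpkey.{domain}"

def keyserver_url(address: str) -> str:
    """keys.openpgp.org by-email lookup URL for the address."""
    local, domain = split_address(address)
    return "https://keys.openpgp.org/vks/v1/by-email/" + quote(f"{local}@{domain}", safe="")

if __name__ == "__main__":
    target = "Joe.Doe@Example.ORG"          # constructed sample address
    for name, where in {**wkd_urls(target), "dane": dane_owner_name(target),
                        "keyserver": keyserver_url(target)}.items():
        print(f"{name:10} {where}")
```

A key that is retrievable at one of these locations is one that step 2 could find; if none resolves, the two-mail confirmation in step 3 applies.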